// Detects MedusaLocker ransomware PE files by the backup/recovery-inhibition
// command lines the binary embeds as UTF-16LE, an embedded RSA public-key blob
// header, the ransom-note file-list header, and one x64 code stub.
// The decoded text next to each hex pattern is for the reader only; the hex
// bytes are what actually matches, so keep them in sync if one is edited.
rule RAN_MedusaLocker_July_2021_1
{
    meta:
        description = "Detect MedusaLocker ransomware"
        author = "Arkbird_SOLG"
        date = "2021-07-25"
        reference = "https://twitter.com/r3dbU7z/status/1418433910057353217"
        // SHA-256 of the samples this rule was written against.
        hash1 = "033b4950a8f249b20eb86ec6f8f2ea0a1567bb164289d1aa7fb0ba51f9bbe46c"
        hash2 = "0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad"
        hash3 = "c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc"
        hash4 = "f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31"
        tlp = "white"
        adversary = "RaaS"
    strings:
        // UTF-16LE "vssadmin.exe Resize ShadowStorage /for=?: /on=?: /maxsize="
        // (shadow-storage shrink). Each "?? 00" is the wide drive letter.
        $s1 = { 76 00 73 00 73 00 61 00 64 00 6d 00 69 00 6e 00 2e 00 65 00 78 00 65 00 20 00 52 00 65 00 73 00 69 00 7a 00 65 00 20 00 53 00 68 00 61 00 64 00 6f 00 77 00 53 00 74 00 6f 00 72 00 61 00 67 00 65 00 20 00 2f 00 66 00 6f 00 72 00 3d 00 ?? 00 3a 00 20 00 2f 00 6f 00 6e 00 3d 00 ?? 00 3a 00 20 00 2f 00 6d 00 61 00 78 00 73 00 69 00 7a 00 65 00 3d } 
        // UTF-16LE "del /s /f /q ?:\*.VHD ?:\*.bac ?:\*.bak ?:\*.wbcat ?:\*.bkf
        // ?:\Backup*.* ?:\backup*.* ?:\*.set ?:\*.win ?:\*.dsk" (backup-file wipe);
        // again "?? 00" is the wide drive letter.
        $s2 = { 64 00 65 00 6c 00 20 00 2f 00 73 00 20 00 2f 00 66 00 20 00 2f 00 71 00 20 00 ?? 00 3a 00 5c 00 2a 00 2e 00 56 00 48 00 44 00 20 00 ?? 00 3a 00 5c 00 2a 00 2e 00 62 00 61 00 63 00 20 00 ?? 00 3a 00 5c 00 2a 00 2e 00 62 00 61 00 6b 00 20 00 ?? 00 3a 00 5c 00 2a 00 2e 00 77 00 62 00 63 00 61 00 74 00 20 00 ?? 00 3a 00 5c 00 2a 00 2e 00 62 00 6b 00 66 00 20 00 ?? 00 3a 00 5c 00 42 00 61 00 63 00 6b 00 75 00 70 00 2a 00 2e 00 2a 00 20 00 ?? 00 3a 00 5c 00 62 00 61 00 63 00 6b 00 75 00 70 00 2a 00 2e 00 2a 00 20 00 ?? 00 3a 00 5c 00 2a 00 2e 00 73 00 65 00 74 00 20 00 ?? 00 3a 00 5c 00 2a 00 2e 00 77 00 69 00 6e 00 20 00 ?? 00 3a 00 5c 00 2a 00 2e 00 64 00 73 00 6b }
        // UTF-16LE "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
        // (suppresses the boot-failure recovery screen).
        $s3 = { 62 00 63 00 64 00 65 00 64 00 69 00 74 00 2e 00 65 00 78 00 65 00 20 00 2f 00 73 00 65 00 74 00 20 00 7b 00 64 00 65 00 66 00 61 00 75 00 6c 00 74 00 7d 00 20 00 62 00 6f 00 6f 00 74 00 73 00 74 00 61 00 74 00 75 00 73 00 70 00 6f 00 6c 00 69 00 63 00 79 00 20 00 69 00 67 00 6e 00 6f 00 72 00 65 00 61 00 6c 00 6c 00 66 00 61 00 69 00 6c 00 75 00 72 00 65 00 73 }
        // ASCII "BgIAAACkAABSU0Ex": base64 of 06 02 00 00 00 A4 00 00 "RSA1", i.e. the
        // CryptoAPI PUBLICKEYBLOB header of an RSA public key. Presumably the
        // operator's embedded public key stored base64-encoded -- confirm against
        // the samples. This is the only non-wide, non-command-line string.
        $s4 = { 42 67 49 41 41 41 43 6b 41 41 42 53 55 30 45 78 }
        // Text form of the system-state-backup deletion; note its bytes fully
        // contain $s9 (see there).
        $s5 = "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest" fullword wide
        // UTF-16LE "bcdedit.exe /set {default} recoveryenabled No"
        $s6 = { 62 00 63 00 64 00 65 00 64 00 69 00 74 00 2e 00 65 00 78 00 65 00 20 00 2f 00 73 00 65 00 74 00 20 00 7b 00 64 00 65 00 66 00 61 00 75 00 6c 00 74 00 7d 00 20 00 72 00 65 00 63 00 6f 00 76 00 65 00 72 00 79 00 65 00 6e 00 61 00 62 00 6c 00 65 00 64 00 20 00 4e 00 6f }
        // UTF-16LE "vssadmin.exe Delete Shadows /All /Quiet"
        $s7 = { 76 00 73 00 73 00 61 00 64 00 6d 00 69 00 6e 00 2e 00 65 00 78 00 65 00 20 00 44 00 65 00 6c 00 65 00 74 00 65 00 20 00 53 00 68 00 61 00 64 00 6f 00 77 00 73 00 20 00 2f 00 41 00 6c 00 6c 00 20 00 2f 00 51 00 75 00 69 00 65 00 74 }
        // UTF-16LE "wmic.exe SHADOWCOPY /nointeractive"
        $s8 = { 77 00 6d 00 69 00 63 00 2e 00 65 00 78 00 65 00 20 00 53 00 48 00 41 00 44 00 4f 00 57 00 43 00 4f 00 50 00 59 00 20 00 2f 00 6e 00 6f 00 69 00 6e 00 74 00 65 00 72 00 61 00 63 00 74 00 69 00 76 00 65 }
        // UTF-16LE "wbadmin DELETE SYSTEMSTATEBACKUP". This is a byte prefix of $s5
        // (no fullword here), so every $s5 match is also an $s9 match; when that
        // command line is present the "9 of ($s*)" threshold below effectively
        // requires only 8 distinct artefacts.
        $s9 = { 77 00 62 00 61 00 64 00 6d 00 69 00 6e 00 20 00 44 00 45 00 4c 00 45 00 54 00 45 00 20 00 53 00 59 00 53 00 54 00 45 00 4d 00 53 00 54 00 41 00 54 00 45 00 42 00 41 00 43 00 4b 00 55 00 50 }
        // ASCII header of the encrypted-file list (18 '#', " LIST OF ENCRYPTED FILES ",
        // 18 '#', then CRLF). Not wide, unlike the command lines.
        $s10 = { 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 20 4c 49 53 54 20 4f 46 20 45 4e 43 52 59 50 54 45 44 20 46 49 4c 45 53 20 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 0d 0a }
        // Appears to be an x64 function: prologue (save rbx, push rdi, sub rsp 0x30),
        // an indirect call through the IAT (ff 15; the low two displacement bytes
        // are wildcarded with [2], the high bytes 07 00 are fixed), test eax / jz,
        // and on the failure path a second IAT call whose result is stored at
        // [rdi+0x34] -- looks like an error code, confirm in a disassembler. The
        // fixed displacement bytes likely tie this to one build layout, so expect
        // $x1 to be the first string to stop matching on recompiled samples.
        $x1 = { 48 89 5c 24 08 57 48 83 ec 30 48 8b da 48 8b f9 e8 0b fe ff ff 44 8b 43 08 48 8d 47 28 44 2b 03 45 33 c9 48 8b 13 48 8b 4f 20 48 89 44 24 28 c7 44 24 20 00 00 00 00 ff 15 [2] 07 00 85 c0 74 12 c6 47 08 01 48 8b c7 48 8b 5c 24 40 48 83 c4 30 5f c3 ff 15 [2] 07 00 48 8b 5c 24 40 89 47 34 48 8b c7 }
    condition:
        // MZ magic (little-endian read of "MZ"), a lower size bound only (no upper
        // bound is set), 9 of the 10 string artefacts, and the code stub $x1 is
        // mandatory -- so a sample with all ten strings but a different build of
        // the stub does not match.
       uint16(0) == 0x5A4D  and filesize > 150KB and 9 of ($s*) and $x1
}  
